Upgrade to OmniAuth 2.0
What does this MR do and why?
- Upgrades to OmniAuth 2.0
- Our current version of Omniauth, v1.8, has a known CVE CVE-2015-9284. Although we are not currently vulnerable, as a security best practice we should upgrade to the latest version. The use of a gem with a known vulnerability is also causing concern for some of our customers.
- Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/30073
QA Checklist
This MR affects many OmniAuth providers. Before we merge/deploy, it is important to QA that each affected provider still works via a local test.
OmniAuth 2.0 made some changes to how relative root apps are handled. As a result, we want to test each OmniAuth strategy with both a regular GitLab installation and a relative URL GitLab installation. Docs on how to set up GitLab with a Relative URL are here.
To assist with QA:
- Add your GitLab username in the "QA to be done by" table field to indicate that you plan to check that strategy
- Check out this branch (
jy-oauth-2) locally - Set up your selected OAuth strategy in your dev installation of GitLab (don't forget to
gdk restartafter adding the config togitlab.yml) - Configure your dev installation of GitLab to live at a relative URL and re-test the strategy (this will require updating the OAuth client as well because you relative URL will need to be reflected in the client's
redirect_uri) - Update relevant table fields to indicate that QA was completed successfully. Or, if you run into errors during QA, ping @jessieay in a comment on this MR with that information.
| Provider Name | QA to be done by | Login test completed | Login test w/Relative URL installation completed |
|---|---|---|---|
| omniauth-azure-activedirectory-v2 | @jessieay |
2022-09-06T23:43:00Z
|
2022-09-07T23:54:38Z
|
| omniauth-azure-oauth2 | @jessieay |
2022-09-06T17:43:15Z
|
2022-09-07T23:30:30Z
|
| omniauth-cas3 | |||
| omniauth_crowd | @jessieay |
2022-09-06T19:27:54Z
|
2022-09-07T18:16:58Z
|
| omniauth-github | @anton |
2022-09-05T20:07:08Z
|
2022-09-05T20:07:08Z
|
| omniauth-google-oauth2 | @jessieay |
2022-09-02T21:25:02Z
|
2022-09-07T00:59:47Z
|
| omniauth-ldap | @jessieay |
2022-09-08T17:45:40Z
|
2022-09-08T18:37:52Z
|
| omniauth-salesforce | @jessieay |
2022-09-02T20:47:43Z
|
2022-09-07T17:32:38Z
|
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Jessie Young